iTwin: Creating a secure, 'unlimited' USB drive

Paul Mah examines the iTwin and its promises of simple and secure file transfer between two online computers.

You may have read about the iTwin, the sleek looking $99 gadget whose claim to fame is its promises of simple and secure file transfer between two online computers. Its unique premise revolves around physical ownership of one half of the iTwin dongle required to forge a virtual link with its other half - giving the product a level of simplicity that even your grandma should have no problem with.

How it works is this: Plugging one end of the double-ended USB iTwin dongle while it's "paired" automatically initializes it, creating an encryption key that is stored on both halves of the device. When split up and plugged into two computers, the iTwin software automatically installs and makes use of this encryption key to facilitate the secure transfer of data - drag and drop style - over the Internet. The iTwin works behind firewalls, as well as on both the PC and Mac.

The obvious downside, of course, is that the source computer has to be left switched on with Internet access, though its creators would like you to think that this is a comparatively small price to pay.

An idea that just "grew and grew"

The product was the brainchild of company CEO Lux Anantharaman, who went on to co-found the Singapore company - also named iTwin - with company COO Kal Takru in October 2010.

The company went on to launch the iTwin on the global stage at CES 2011. When I spoke with Takru late last year, he told me how the idea was actually conceptualized in early 2008 and developed with A*STAR as an exploratory project that just "grew and grew." A*STAR stands for Agency for Science, Technology and Research and is a government agency dedicated to fostering scientific research in Singapore. Today, iTwin has 25 full time employees, as well as an office in Boson, Massachusetts.

Each half of the iTwin incorporates a microchip that creates a common random key used to find its paired half on the Internet. A server maintained by iTwin facilitates this process to allow the iTwin to work through firewalls. There is no way for anyone to snoop on the data even if the iTwin server is compromised, says Takru, and data will be routed directly if both end nodes are on the local network. The software driver currently performs the encryption and data compression, though the next step is to incorporate a chip within the iTwin to perform this in hardware.

Unique proposition

It is easy to understand the value proposition of not storing sensitive data in a USB flash drive where it could be misplaced or stolen. Yet cloud storage does not suffer from this weakness, and is a far more popular option. So does the iTwin offer any advantage over it?

In an email message, Anantharaman pointed to how the passwords used to secure data stored in the cloud are "a notoriously insecure security mechanism" and susceptible to brute-force attacks. Moreover, while most of us assume that the data for our favorite cloud providers are based in the United States, IT professionals know that it may not necessarily be the case.

Anantharaman puts it this way: "Files may be stored in a country with different legal frameworks that may allow them to treat that information with less care. That can be a legal nightmare for businesses storing sensitive information such as accounting documents or client data."

Finally, he also pointed to the typical behaviors about data that is no longer needed as another reason to avoid cloud storage. "Most small businesses don't manage their files very well after they are no longer needed, and undeleted documents containing sensitive information are likely to litter cloud environments," says Anantharaman. "Many of these files will probably still have the same sharing permissions that they were given when they were used, creating a security risk that persists long after those files have been forgotten."

The company in January this year unveiled a free iTwin Multi upgrade that allows multiple iTwins to be used on the same computer. You can purchase the iTwin here, or read more about iTwin Multi here.

About Paul Mah

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

Full Bio

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

This device serves only one purpose: to distribute encryption keys "securely".
You could do the same, by generating the keys on one computer and send it to the other computer, is some "secure" way: from the most primitive via an USB drive, e-mail, wireless, to more secure like encrypted key exchange protocol.
Considering, that the device only stores the key, and nothing else, it's functionality is equivalent of ANY smart card. About the only benefit offered is the 'automatic' exchange of keys between both smartcards.
It could be more useful if the device is able to process the encryption in hardware, that is, within the device but this is limited by USB's transfer speed and might make things slow. Also, in order to encrypt at 'full' USB speed, the thing will need more powerful crypto processor and will cost a lot more.
You could use any other key generation/storage method and fancy looking software with the same effect.

Does this device appear to a workstation as a removable storage device? We can currently disable removable storage if we are concerned about information (literally) walking out the door, but how would someone protect against the possibility of this device funneling data off-site (at a much faster rate, at that)?

@Gisabun Thanks for your feedback. I thought the blog would be incomplete without a link to its purchase page. Its definitely not an advertisement...! Appreciate your feedback - will take note in future. :)